Flask is a very popular Python-based web framework. The author was poking around their tech stack and noticed a library called Flask_Session, which is used for server-side session management. It can use Redis or Memcached as its backend.
In a previous talk at Black Hat 2014, Ivan Novikov used a Memcached injection to get RCE via bad data deserialization. Even more recently, an SSRF in vBulletin got RCE by injecting arbitrary serialized data into Memcached.
Memcached communicates over a newline-based protocol. So, being able to add unescaped CRLF to the keys or values would allow for adding in extra commands. The two main commands are set and get.
When save_session() is called to store the information in Memcached, the set() call doesn't escape CRLF. As a result, an attacker-controlled session can be used to issue arbitrary Memcached commands.
Since \r\n can't be used in an HTTP call, we have to escape them in the header. According to the HTTP spec (which I didn't know), this can be done by octal-encoding them with a backslash. For instance, \015\012 works for this.
I think they add in a pickle payload, which will then be processed by memcache, in order to get RCE. Overall, a super interesting bug class that I hadn't considered!
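To make the CRLF problem described above concrete, here is an added example (not code from the original writeup or from Flask_Session) that frames a text-protocol `set` with the key interpolated as-is, shows how a line-oriented reader splits it, and then applies the key rules from the Memcached text protocol (at most 250 bytes, no control characters or whitespace). The function names, the toy parser and the sample keys are assumptions made for illustration.

```python
import re

MAX_KEY_LEN = 250                           # text-protocol key length limit
_ILLEGAL = re.compile(rb"[\x00-\x20\x7f]")  # control characters and whitespace

def frame_set(key: bytes, value: bytes, flags: int = 0, ttl: int = 0) -> bytes:
    """Build a text-protocol 'set' with the key interpolated as-is (weak pattern)."""
    return b"set %b %d %d %d\r\n%b\r\n" % (key, flags, ttl, len(value), value)

def checked_key(key: str) -> bytes:
    """Hardened form: reject any key the text protocol cannot carry safely."""
    raw = key.encode("utf-8")
    if not raw or len(raw) > MAX_KEY_LEN or _ILLEGAL.search(raw):
        raise ValueError("illegal memcached key")
    return raw

def seen_commands(stream: bytes) -> list:
    """Toy line-oriented reader: first token of every line read as a command."""
    verbs, rest = [], stream
    while rest:
        line, _, rest = rest.partition(b"\r\n")
        parts = line.split()
        if not parts:
            continue
        verbs.append(parts[0].decode())
        # A well-formed 'set' is followed by <bytes> of data plus CRLF: skip it.
        if parts[0] == b"set" and len(parts) == 5 and parts[4].isdigit():
            rest = rest[int(parts[4]) + 2:]
    return verbs

# Constructed sample values (not taken from the writeup).
GOOD_KEY = "session:3f9a"
BAD_KEY = "session:3f9a\015\012stats"  # octal escapes, same bytes as "\r\n"
VALUE = b"hello"

if __name__ == "__main__":
    print(seen_commands(frame_set(GOOD_KEY.encode(), VALUE)))  # one command
    print(seen_commands(frame_set(BAD_KEY.encode(), VALUE)))   # stream desynced
    try:
        frame_set(checked_key(BAD_KEY), VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```

Validating the key before it reaches the client library means the value is rejected at the session layer, regardless of how the cookie encoded the CRLF.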